Harboring Data: Information Security, Law, and the Corporation
Ebook, 649 pages, 7 hours


About this ebook

As identity theft and corporate data vulnerability continue to escalate, corporations must protect both the valuable consumer data they collect and their own intangible assets. Both Congress and the states have passed laws to improve practices, but the rate of data loss persists unabated and companies remain slow to invest in information security. Engaged in a bottom-up investigation, Harboring Data reveals the emergent nature of data leakage and vulnerability, as well as some of the areas where our current regulatory frameworks fall short.

With insights from leading academics, information security professionals, and other area experts, this original work explores the business, legal, and social dynamics behind corporate information leakage and data breaches. The authors reveal common mistakes companies make, which breaches go unreported despite notification statutes, and surprising weaknesses in the federal laws that regulate financial data privacy, children's data collection, and health data privacy. This forward-looking book will be vital to meeting the increasing information security concerns that new data-intensive business models will have.

Language: English
Release date: Oct 6, 2009
ISBN: 9780804772594


    Book preview

    Harboring Data - Andrea M. Matwyshyn


    Harboring Data

    Information Security, Law, and the Corporation

    Andrea M. Matwyshyn

    Stanford University Press

    Stanford, California

    ©2009 by the Board of Trustees of the Leland Stanford Junior University.

    All rights reserved.

    No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or in any information storage or retrieval system without the prior written permission of Stanford University Press.

    Printed in the United States of America on acid-free, archival-quality paper

    Library of Congress Cataloging-in-Publication Data

    Harboring data : information security, law, and the corporation / edited by Andrea M. Matwyshyn.

    p. cm.

    Includes bibliographical references and index.

    9780804772594

    1. Data protection--Law and legislation--United States. 2. Computer security--Law and legislation--United States. 3. Business records--Law and legislation--United States. I. Matwyshyn, Andrea M.

    KF1263.C65H37 2009

    342.7308’58--dc22

    2009021883

    Typeset by Bruce Lundquist in 10/14 Minion

    Table of Contents

    Title Page

    Copyright Page

    List of Tables

    Acknowledgments

    Author Biographies

    SECTION I - Introducing Corporate Information Security

    Introduction

    1 - Looking at Information Security Through an Interdisciplinary Lens

    SECTION II - The Dual Nature of Information—Information as a Consumer and Corporate Asset

    2 - The Information Vulnerability Landscape

    3 - Reporting of Information Security Breaches

    4 - Information Security and Patents

    5 - Information Security and Trade Secrets

    SECTION III - U.S. Corporate Information Security Regulation and Its Shortcomings

    6 - Information Security of Health Data

    7 - Information Security of Financial Data

    8 - Information Security of Children’s Data

    SECTION IV - The Future of Corporate Information Security and Law

    9 - Information Security and Contracts

    10 - Information Security, Law, and Data-Intensive Business Models

    Conclusion

    Notes

    Bibliography

    Index

    List of Tables

    TABLE 2.1

    TABLE 2.2

    TABLE 4-1

    Acknowledgments

    Many thanks are due in connection with this volume. First and foremost, I thank the stellar group of authors whose work appears here. I am grateful to them not only for their insightful contributions to this compilation, but also for the years of conversations I have had with many of them. They have shaped my own thinking on information security issues.

    Thank you to the Carol and Lawrence Zicklin Center for Business Ethics Research at the Wharton School at the University of Pennsylvania, and Director William S. Laufer and Associate Director Lauretta Tomasco, for continued financial support of my research. Thanks also to the superb staff of the Legal Studies Department at Wharton, particularly Tamara English and Mia Morgan, who facilitate my work daily and who provided indispensable support in connection with this text. In addition, I owe thanks to the Wharton undergraduates who assisted in preparing this book for publication, especially Jennifer Rowland and Bohea Suh.

    Thank you also to Marcia Tiersky, Sharon M. Gordon, and Jacqui Lipton for their comments and critiques on preliminary versions of this volume. Finally, thanks are overdue to my parents for decades of support and encouragement in any and all ventures I have chosen to undertake.

    Author Biographies

    Editor

    ANDREA M. MATWYSHYN is an Assistant Professor of Legal Studies and Business Ethics at the Wharton School at the University of Pennsylvania. Her research and consulting focus on U.S. and international issues related to information policy, corporate best practices, data privacy, and technology regulation. Her most recent scholarship can be found at http://ssrn.com/author=627948.

    Contributors

    SARAH BLANKINSHIP is a Senior Security Strategist at Microsoft, working with hackers and InfoSec sellouts alike, one continent at a time. On good days she battles the asymmetry between attacker and defender together with the world’s best security response team, the Microsoft Security Response Center. On other days her diplomacy and firefighting skills are applied to some of the world’s most challenging security problems.

    IAN BROWN is a Research Fellow at the Oxford Internet Institute, Oxford University, and an Honorary Senior Lecturer at University College London. His work focuses on public policy issues around information and the internet, particularly privacy, copyright, e-democracy, information security, networking and health care informatics. He frequently consults for governmental and corporate clients, both in the UK and abroad.

    JENNIFER CHANDLER is an Assistant Professor of Law in the Common Law Section of the University of Ottawa School of Law and a leading Canadian expert in information security law. Her primary areas of interest relate to legal issues raised by new and evolving technologies, particularly information and communication technologies.

    DIANA T. SLAUGHTER-DEFOE is the Constance Clayton Professor in Urban Education in the Graduate School of Education at the University of Pennsylvania. She was cited by the American Psychological Association for Distinguished Contributions to Research in Public Policy and received a Lifetime Professional Achievement Award from the alumni association of the University of Chicago. Her primary research interests are child development and early intervention and parent-child relations and school achievement.

    LILIAN EDWARDS is a Professor at the University of Sheffield School of Law. Her major concern has been the substantive law relating to computers and e-commerce, with a European and comparative focus. Her research has centered on internet content (including pornography, libel, and spam); intermediary/ISP liability on the internet; jurisdictional and other issues of international private law on the internet; privacy online; and consumer protection online.

    KRIS ERICKSON is an Instructor in the Department of Geography at the University of Washington. His dissertation research focused on the role of the computer hacker community in the governance of cyberspace.

    SHARONA HOFFMAN is Professor of Law and Bioethics, Co-Director of the Law-Medicine Center, and Senior Associate Dean for Academic Affairs at Case Western Reserve University Law School. She has published articles on employment discrimination, health insurance, disability law, biomedical research, the concept of race and its use in law and medicine, and health information technology.

    PHILIP N. HOWARD is an Associate Professor in the Communication Department at the University of Washington. His research and teaching interests include political communication and the role of new media in social movements and deliberative democracy, work in new economy and e-commerce firms, and the application of new media technologies in addressing social inequalities in the developing world.

    TOMASZ OSTWALD is a Senior Program Manager at the Microsoft Corporation. For the past ten years he has been involved in different aspects of security research. He has coauthored several security-related papers and been a speaker at security conferences, including BlackHat, CCC, and HackInTheBox.

    CEM PAYA is an Information Security Engineer with Google. Before joining Google, he was a Senior Program Manager at the Microsoft Corporation, where he headed up security in Microsoft’s MPG unit, which encompassed all of Microsoft’s internet-based operations.

    JON PINCUS’s current professional projects include Tales from the Net (a book on social networks coauthored with Deborah Pierce), starting a strategy consulting practice, and blogging at Liminal States and elsewhere. Previous work includes leading the Ad Astra project as General Manager for Strategy Development in Microsoft’s Online Services Group. His primary research interest is the implications of recasting the field of computer science as a social science.

    ANDY PODGURSKI is an Associate Professor of Computer Science in the Electrical Engineering & Computer Science Department at Case Western Reserve University. He has conducted research on software engineering methodology and related topics for nearly twenty years, publishing extensively in these areas.

    ELIZABETH ROWE is an Associate Professor of Law at the University of Florida, Levin College of Law. Professor Rowe’s scholarship addresses trade secrets and workplace intellectual property disputes. Before entering academia she was a partner at the law firm of Hale and Dorr, LLP, in Boston, where she practiced complex commercial litigation, including intellectual property, employment, and securities litigation.

    GREG VETTER is a Professor at the University of Houston Law Center and Co-Director of the Law Center’s Institute for Intellectual Property and Information Law. He worked in software for nine years in both technical and business capacities before attending law school. In practice after law school, he obtained U.S. PTO registration as a patent attorney and joined the University of Houston Law Center faculty in 2002.

    ZHENLIN WANG is an Assistant Professor in the Department of Early Childhood Education, Hong Kong Institute of Education. She received her Ph.D. in developmental and educational psychology from the Institute of Psychology, Chinese Academy of Sciences, in 2000 and is currently pursuing graduate study at the Graduate School of Education, University of Pennsylvania. Her primary research interests focus on children’s cognitive development and early childhood teaching and learning.

    KIM ZETTER is an independent, award-winning investigative journalist who until recently was a staff reporter for Wired News, covering privacy, security, and public policy. Her series on security problems with electronic voting machines won two awards and was a finalist for a national Investigative Reporters & Editors award—the highest journalism honor after the Pulitzer. Her work has also appeared in Wired magazine, Salon, the Economist, PC World, the Los Angeles Times, the San Francisco Chronicle, and other publications.

    SECTION I

    Introducing Corporate Information Security

    Introduction

    Andrea M. Matwyshyn

    IN JULY 2005, a hacker sitting in the parking lot of a Marshalls store in Minnesota used a laptop and a telescope-shaped antenna to steal at least 45.7 million credit and debit card numbers from a TJX Companies Inc. database.¹ When the breach came to light in 2007, TJX Companies estimated that it would cost more than $150 million to correct its security problems and settle with consumers affected by the breach.² In addition to TJX’s direct losses from this incident, which are estimated to be between $1.35 billion³ and $4.5 billion,⁴ the company also faces losses from settlement payouts⁵ and, potentially, court-awarded damages.⁶

    Perhaps the most troubling part of this information crime was its avoidability: TJX, a retailer worth approximately $17.4 billion, had simply neglected its information security and was using a form of encryption on its wireless network that had been widely known for years to be obsolete.⁷ The network through which the hacker accessed the database had less security on it than many people have on their home wireless networks.⁸ In other words, TJX made itself an easy mark for hackers.

    TJX is not alone in its information security mistakes. Reviewing newspaper headlines on any given day is likely to yield an article about a corporate data breach. Otherwise sophisticated business entities are regularly failing to secure key information assets. Although the details of particular incidents and the reasons behind them vary, a common theme emerges: corporations are struggling with incorporating information security practices into their operations. This book explores some of the dynamics behind this corporate struggle with information security.

    The Social Ecology of Corporate Information Security

    The year 2007 was a record year for data compromise, and the trend continued upward in 2008. Estimates of the number of personally identifiable consumer records exposed run as high as 162 million for 2007 alone.⁹ For example, approximately one in seven adult Social Security numbers has already been compromised as a result of data breaches.¹⁰ Corporate data losses in particular are staggering: according to estimates, the value of each corporate record lost was approximately $197 in 2007,¹¹ and consequently, in 2007 U.S. corporations may have lost as much as $32 billion owing to information security breaches. Despite increasing media and consumer attention, corporate data leakage continues unabated. Why?

    The reasons for the continuing escalation in data vulnerability are complex and include dynamics on three levels: the macro or societal level; the meso or group level; and the micro or individual level.

    Macro Level—Networked Data, Information Crime, And Law

    On the macro level, corporate hoarding of networked, aggregated consumer data, the expansion of information criminality, and the arrival of information security regulation have all affected the ecology of corporate information security.

    Corporate Hoarding of Networked, Aggregated Consumer Data Over the past decade, the internet became a regular part of consumer economic behaviors, and a new economic environment emerged. A defining characteristic of this new commercial environment is widespread corporate collection, aggregation, and leveraging of personally identifiable consumer data. Consumers increasingly venture online to engage in information-sensitive activities, such as checking bank balances or transmitting credit card information in connection with purchases,¹² and for many consumers the purchasing of goods through the internet is a routine part of life.¹³ In the course of engaging in this routine, they leave a trail of information behind them.

    Corporate entities began to see commercial opportunities in the wealth of readily available, personally identifiable data. Companies began to hoard data; they started to collect as much information as possible about their customers in order to target products more effectively and to generate secondary streams of revenue by licensing their databases of consumer information.¹⁴ Because the internet allows large amounts of data to be exchanged by remote parties, internet data brokers emerged and further invigorated the market for collecting and reselling consumer data. They began to place a premium on consumer information databases and to change the way consumer data were valued in corporate acquisitions.¹⁵

    In the broader business context, the business environment in our society has been dramatically altered by the integration of information technology into corporate governance and operations over the last two decades.¹⁶ Businesses have become progressively more technology-centric and, consequently, organized in large part around their unifying computer systems. Centralization arose because businesses sought to solve communication problems between parts of the company, and for many, overcoming these communication obstacles across machines became a corporate priority.¹⁷ The goal was to allow all parts of the organization to effectively interact with each other and communicate internal data.¹⁸ Business communications progressively shifted from real space to virtual space,¹⁹ and entirely new technology-contingent information businesses have arisen, such as eBay and Google.²⁰ Even the most traditional of companies began to experiment with internet sales through company websites. Increasing computerization and automation of businesses generated enterprise-wide computing and management ripe for data hoarding and leveraging.

    Progressively, these new databases of both corporate proprietary information and personally identifiable consumer information became networked with each other and the outside world.²¹ Because these internet-mediated databases frequently operated in the context of a highly centralized corporate technology environment, a large attack surface for information theft was created. Preexisting centralization of computer systems made attacks on key targets easier: access into the system at any one of multiple points gives an attacker an avenue to compromise the targeted databases. In other words, the ease of sharing databases inadvertently resulted in the ease of attacking them.

    Expansion in Information Crime These trends of corporate data hoarding and centralization did not go unnoticed by information criminals. As corporate databases of personally identifiable information became larger, they became progressively more useful for identity theft and extortion operations. The more sensitive the information contained in corporate databases, the more attractive the target.²²

    Information thievery is highly lucrative.²³ By some estimates, the information crime economy is as lucrative as the drug economy for its participants, or even more so.²⁴ In particular, the involvement of organized crime in identity theft has brought an additional level of professionalization to these criminal enterprises. Information criminals are frequently highly technologically proficient and in some cases represent the bleeding edge of technology research and development. Although they innovate in a socially detrimental manner, they are unquestionably entrepreneurial;²⁵ information criminals adjust their behavior over time in response to industry anti-crime efforts. The competition between information criminals and information security professionals is an arms race of sorts.

    According to the Federal Trade Commission (FTC), the total economic costs of reported incidents of identity theft amount to approximately $50 billion per year to consumers and corporations.²⁶ As this statistic implies, information crime does not affect only consumers; it affects businesses as well. Information criminals harm business entities in the process of victimizing consumers. For example, phishing fraud losses alone measured between $500 million and $2.4 billion annually in the early 2000s.²⁷ Phishing presents a severe threat to corporate goodwill as well as to information security. The goal of phishing is to leverage the goodwill of a trusted services provider,²⁸ and, through an email, to trick consumers into revealing personal financial information, usernames, passwords, Social Security numbers, and the like.²⁹ Phishing attacks frequently include registered domain names that appear to be associated with the targeted company and otherwise infringe on the intellectual property of the targeted company. During a phishing attack, an assailant simultaneously victimizes both entities and their consumers with spoofing³⁰ emails to deceive recipients into believing that the email originated from a credible source with which the consumer may possess a trusted commercial relationship, such as a financial services provider.³¹ In some instances, information criminals will pretend to act on behalf of a company and use information stolen from that company to send out more effective phishing attacks directly to consumers.³² Because the consumer has a preexisting relationship with the company, the consumer is likely to be more easily victimized by this type of falsified communication. Similarly, legitimate email communications from business entities may be ignored by cautious consumers who mistake a legitimate communication for a phishing attack.³³ Consumers victimized by phishing attacks are frequently aware that the company whose email is spoofed is not directly responsible for the phishing attack. Nevertheless, such consumers may develop a negative view of the company, particularly if the victimized company does not aggressively and publicly pursue the attacker.

    For example, Monster.com was recently compromised by hackers using stolen credentials to harvest data from the Monster job-seeker database. The harvested data were then used, among other things, for sending targeted messages to job seekers purported to be from Monster.com. These messages contained a malicious attachment,³⁴ a Trojan called Infostealer.Monstres, which uploaded more than 1.6 million pieces of personal data belonging to several hundred thousand people to a remote server.³⁵ The likely goal behind this attack on Monster.com was to facilitate the criminals’ subsequent phishing attacks on consumers. The criminals obtained information from Monster.com that was potentially directly useful for identity theft. But it was also useful for sending phishing emails that appeared to be highly credible and from an allegedly trusted source—Monster.com. As such, the information criminals not only compromised Monster.com’s databases, but also leveraged Monster’s name in their criminal phishing enterprise in order to compromise users’ machines.

    The criminals who illegally accessed Monster’s records sought to compromise as many job seekers’ machines as possible not only for identity theft purposes but also for zombie drones.³⁶ The end-product of these types of phishing attacks is frequently the creation of zombie drone armies or botnets³⁷—coordinated groups of security-compromised consumer and corporate machines remotely controlled by criminals. Approximately 250,000 new zombies are identified per day³⁸ with approximately 100 million total zombies currently in operation, by some expert estimates.³⁹ Botnets are a significant threat to corporations. Organized crime syndicates have begun launching extortion rackets against businesses, threatening them with attacks from zombie drones in botnets.⁴⁰ Depending on the size of the army of zombie drones, such an attack could cripple a business, disrupting operations for an extended period of time. The attack may target a company directly, or the attacker may disrupt the infrastructure upon which the company relies. For example, according to the CIA, power outages in multiple cities have been traced to these types of cyberattacks.⁴¹ As such, national security interests are also clearly implicated.

    Rise of Information Security Regulation Legally speaking, the field of information security regulation is in its infancy; it is a little over a decade old. In 1996, three years after the Mosaic browser was launched,⁴² questions of data security and privacy began to gain momentum within the United States, partially as a result of international influences. In 1995 the European Union passed the EU Data Directive.⁴³ The Data Directive took effect in November 1998,⁴⁴ and multinational business interests in the United States were concerned; they were beginning to increase investment in internet operations, and many had already established websites.⁴⁵ The Data Directive contains provisions that prohibit transfer of the data of any European person outside the European Union without consent, and they require contractual imposition of a minimum level of care in handling on any third parties receiving the data.⁴⁶ However, despite the EU’s aggressive stance toward data protection,⁴⁷ the United States did not have any consumer information security legislation⁴⁸ in effect until April 2000.⁴⁹

    At this writing in early 2009, the information security legal regime adopted in the United States is a patchwork of state and federal laws. On the federal level, health data, financial data, and children’s data are statutorily regulated, through the Health Insurance Portability and Accountability Act,⁵⁰ the Gramm-Leach-Bliley Act,⁵¹ and the Children’s Online Privacy Protection Act,⁵² respectively. In addition to enforcing these statutory regimes, the Federal Trade Commission has instituted a number of prosecutions for inadequate security practices under unfair trade practices regulation.⁵³ On the state level, state data breach notification laws have been passed in over 80 percent of states since 2003.⁵⁴

    However, much of information crime involves data not necessarily deemed particularly sensitive by federal statutes at present, and many entities that aggregate large amounts of information do not fall into any of the legal categories of restricted data set forth in the previous section. Therefore, not all business entities are currently proactively regulated by information security statutes. At most, state data breach notification statutes impose on them a duty to disclose the existence of a breach. Specifically, the biggest economic losses are not the result of illegal leveraging of the statutorily protected categories of data; rather, losses result from stolen personally identifiable information, such as Social Security numbers and credit card information, as was the case in the TJX breach.

    Meso—Transitive Information Risks of Data and Reputation

    On the mesosystem/interpersonal level, information vulnerability erodes commercial trust and imposes costs on third parties. Part of the reason for this erosion and cost transference arises from the nature of information risk. The impact of information risk is inherently transitive: a fundamental tenet of security is that a system is only as strong as its weakest links, not its strongest points.⁵⁵ This transitivity means that risk follows the information itself, and the security of the whole system depends on the lowest common denominator: the security of the least secure trusted party. Therefore, a company’s information security is only as good as the information security of its least secure business partner. If a company shares sensitive corporate information with a business partner and that partner experiences a data leak, the negative effects to the shared data are similar to those that would have occurred if the first company had been breached itself. Stated another way, each time a company shares data, it acquires a dependency on another company. Companies suffer economic harms and reputational damage as a consequence of both their own suboptimal security practices and their business partners’ inadequate security practices.⁵⁶

    For example, in the TJX breach detailed at the beginning of this chapter, TJX, the company that suffered the breach, was not the only affected business entity. Banks that had issued the compromised credit card numbers had to reissue those cards and blamed TJX for the cost of doing so. Not surprisingly, TJX found itself a defendant in several class-action suits as a consequence of its data breach. Litigants pursuing TJX for damages included not only consumers, but also a group of banking associations from Massachusetts, Connecticut, and Maine that included over 300 banks whose customers were implicated in the breach. In April 2007, these associations sued TJX, seeking to recover the dramatic costs that they absorbed to protect their cardholders from identity theft risks resulting from the TJX breach.⁵⁷ The banks argued that as corporate data breaches such as the TJX breach become more frequent and larger in scale, banks cannot continue to absorb the downstream costs of other companies’ information security mistakes.⁵⁸ As the TJX suits demonstrate, data breaches never occur in a corporate vacuum.
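The transitive, weakest-link nature of information risk described in this section can be made concrete as a graph computation: follow every sharing relationship outward from the data's origin and take the minimum assurance over all parties that end up holding the data. The following is an added example, not code from the book or its contributors; the company names, assurance scores and sharing edges are constructed sample values, and the 0-100 assurance scale is an assumption used only for illustration.

```python
"""Transitive (weakest-link) information risk across data-sharing partners.

Added example. Models the point that the effective security of shared data
is set by the least secure party that can reach it, directly or through
further sharing, rather than by the originating company's own controls.
"""
from collections import deque

# Constructed sample: assurance scores (0-100, higher is stronger) for
# hypothetical companies. Names and numbers are assumptions for illustration.
ASSURANCE = {
    "Retailer": 90,
    "PaymentProcessor": 80,
    "MarketingVendor": 40,
    "Subcontractor": 20,
    "Auditor": 95,
}

# Constructed directed sharing edges: which party hands the data to whom.
# Note the Subcontractor never deals with the Retailer directly.
SHARES = {
    "Retailer": ["PaymentProcessor", "MarketingVendor", "Auditor"],
    "MarketingVendor": ["Subcontractor"],
    "PaymentProcessor": [],
    "Subcontractor": [],
    "Auditor": [],
}


def custodians(origin, shares):
    """Every party that ends up holding data originating at `origin`,
    including `origin` itself, found by following sharing edges transitively."""
    seen = {origin}
    queue = deque([origin])
    while queue:
        party = queue.popleft()
        for recipient in shares.get(party, []):
            if recipient not in seen:
                seen.add(recipient)
                queue.append(recipient)
    return seen


def effective_assurance(origin, assurance, shares):
    """Weakest-link assurance of data originating at `origin`: the minimum
    score over every custodian reachable through the sharing graph, returned
    together with the party that sets that minimum."""
    holders = custodians(origin, shares)
    weakest = min(holders, key=lambda party: assurance[party])
    return assurance[weakest], weakest


def sharing_impact(origin, assurance, shares):
    """For each of `origin`'s direct sharing decisions, the effective assurance
    the data would have if that one relationship were cut. This exposes which
    partner (possibly through its own downstream partners) carries the risk."""
    results = {}
    for recipient in shares.get(origin, []):
        pruned = {
            party: [r for r in recipients if not (party == origin and r == recipient)]
            for party, recipients in shares.items()
        }
        results[recipient] = effective_assurance(origin, assurance, pruned)[0]
    return results


if __name__ == "__main__":
    score, weakest = effective_assurance("Retailer", ASSURANCE, SHARES)
    print(f"Retailer's own assurance: {ASSURANCE['Retailer']}")
    print(f"Effective assurance of its shared data: {score} (set by {weakest})")
    for recipient, without in sharing_impact("Retailer", ASSURANCE, SHARES).items():
        print(f"  if sharing with {recipient} were cut: {without}")
```

In the constructed data the Retailer's own controls score 90, yet its shared data is effectively protected only at the Subcontractor's level, a party two hops away that the Retailer never chose. Cutting the MarketingVendor relationship alone raises the effective assurance to 80, because the Subcontractor is reachable only through that vendor, which is the kind of dependency the chapter says a company acquires each time it shares data.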

    Micro—Recognizing Internal Corporate Deficits

    Individual companies frequently ignore information security or believe the return on investment in information security to be inadequate. These suboptimal approaches result from, first, a failure to recognize the losses caused by weak information security, and second, an absence of thorough risk management planning.

    Recognizing Asset Value Diminution and Resource Usurpation as a Consequence of Security Breaches Many companies do not yet recognize that security breaches cause losses: they diminish the value of corporate assets and usurp resources. Confidentiality, integrity, and the availability of corporate assets are all negatively affected by corporate information vulnerability and information crime. In fact, certain corporate assets, such as databases of customer information and preferences, are valuable only because they are confidential.⁵⁹ Similarly, corporate proprietary information protected solely by trade secret law could, in effect, lose all of its value in an information crime incident because the information’s status as a trade secret is entirely contingent on its confidentiality.⁶⁰ Ignoring information security can quickly become more expensive than investing in it. One data breach can greatly diminish the value of such an intangible asset.⁶¹ For example, the damage that a corporate insider can generate in one episode of information theft has been, in at least one instance, approximated to be between $50 million and $100 million.⁶²

    Suboptimal security also jeopardizes the integrity of corporate systems. By some estimates, corporations sustained more than $1.5 trillion in losses in 2000 owing to security breaches, such as computer viruses.⁶³ In 2007 the average cost of a data breach rose to $6.3 million from $4.8 million in 2006.⁶⁴ Corporate integrity is further affected by a parallel diminution in brand value and corporate goodwill. A company considered to be vulnerable usually suffers bad press and a corresponding decrease in the value of its investments in brand identity building. A brand can become damaged in the minds of business partners and consumers if it is associated with lax information security.⁶⁵ Finally, some integrity losses are related to opportunity costs. Occasionally, certain types of vulnerabilities, such as name-your-own-price vulnerabilities, deprive a company of revenue it would otherwise have received.⁶⁶

    The availability of other corporate assets also becomes limited when security issues arise. During an attempt to compromise a company’s network, a remote attacker may usurp technological resources such as bandwidth and employee time. Employee time devoted to responding to an incident does not diminish or end when the attack ends; numerous hours are subsequently logged performing forensic examinations, writing incident reports, and fulfilling other recordkeeping obligations. Finally, if a security incident results in a violation of consumer data privacy, the availability of capital is further diminished by expenses for fines, court costs, attorneys’ fees, settlement costs, and the bureaucratic costs of setting up compliance mechanisms required by consent decrees, settlement agreements, and court decisions.

    Changing Risk Management Planning

    For many companies struggling to implement information security throughout their organizations, building security into a legacy environment unfamiliar with information security principles is a challenge. Frequently, proponents of stronger security face internal corporate resistance to setting new security-related corporate priorities and investment levels.⁶⁷ In part because of such tensions in risk management planning, certain types of information security mistakes recur. The five most common information security errors visible today in corporate information security risk management include a lack of planning, nonresponsiveness to external reports of breaches, letting criminals in, theft by rogue employees, and a failure to update existing security.

    Lack of Planning

    For the reasons elaborated in the preceding pages, there is a lack of adequate information security risk management in business worldwide. According to the fifth annual Global State of Information Security Survey conducted in 2007, a worldwide study by CIO magazine, CSO magazine, and PricewaterhouseCoopers of 7,200 information technology (IT), security, and business executives in more than 119 countries in all industries, companies are slow to make improvements in corporate information security.⁶⁸ Perhaps the most disturbing finding of the study was that only 33 percent of the responding executives stated that their companies keep an accurate inventory of user data or the locations and jurisdictions where data is stored, and only 24 percent keep an inventory of all third parties using their customer data.⁶⁹ Although data breaches are driving privacy concerns, encryption of data at rest, for example, remains a low priority even though unencrypted stored data is the source of many data leakage issues.⁷⁰ Only 60 percent of the organizations surveyed have a chief security officer or chief information security officer in place. Similarly, 36 percent stated that their organizations do not audit or monitor user compliance with security policies, and only 48 percent measured and reviewed the effectiveness of security policies annually.⁷¹ Most companies responding to the study also indicated that their organizations do not document enforcement procedures in their information security policies, and only 28 percent of policies include collection of security metrics.⁷²

    Ignoring External Reports

    One of the most easily avoidable information security mistakes is not taking external reports of problems seriously. Companies, and individual employees within companies, sometimes believe that quashing an external report of a vulnerability or breach will make the problem go away. For example, in November 2002, a security hole in the Victoria’s Secret website allowed a customer to access over 500 customers’ names, addresses, and orders. The customer who discovered the hole contacted Victoria’s Secret directly and advised Victoria’s Secret of the problem. Despite promises of data security in their website privacy policy, Victoria’s Secret employees informed the customer that nothing could be done. In anger, he contacted the press and the New York State attorney general. Victoria’s Secret was subsequently prosecuted by the New York State attorney general and ultimately entered into a settlement that included a $50,000 penalty.⁷³

    Letting Criminals In

    Sometimes companies let hackers into their own databases because of inadequate monitoring practices. For instance, in February 2005, ChoicePoint, Inc., a data aggregator, revealed that it had sold data about more than 145,000 consumers to information criminals. According to the FTC complaint that resulted from this breach, ChoicePoint had prior knowledge of the inadequacy of its customer screening process and ignored law enforcement warnings of fraudulent activity in 2001. It willingly sold data to companies without a legitimate business need for consumer information, even in circumstances where these purchasers looked suspicious. According to the Federal Trade Commission, at least 800 consumers became victims of identity theft as a result of this breach. Ultimately, ChoicePoint entered into a settlement agreement with the FTC, agreeing to pay a fine of $15 million.⁷⁴

    Theft by Rogue Employees

    Companies frequently forget about internal threats to their security. The greatest threats to corporate intangible assets frequently arise from rogue employees. Limiting access by employees to sensitive information on a least privilege / need-to-know basis can be a critical step in avoiding information theft. For example, on June 23, 2004, a former AOL employee was charged with stealing the provider’s entire subscriber list of 37 million consumers (over 90 million screen names, credit card information, telephone numbers, and zip codes) and selling it to a spammer who leveraged and resold the information.⁷⁵ The software engineer who stole the data did not have immediate access to the information himself, but he was able to obtain it by impersonating another employee. Although the initial sale price of the list on the black market is unknown, the spammer paid $100,000 for a second sale of updated information with 18 million additional screen names. The list was then resold to a second spammer for $32,000 and leveraged by the first spammer in his internet gambling business and mass-marketing emails to AOL members about herbal penile enlargement pills.⁷⁶

    Failure to Update Existing Security

    Revisiting the TJX data breach once more, the importance of viewing security as an ongoing process becomes apparent. Security cannot be viewed as an off-the-shelf product; vigilance and constant updating of security measures are mandatory. The wireless encryption protocol that TJX used, WEP (Wired Equivalent Privacy), was widely known to be broken for four years before the TJX breach.⁷⁷ It was common knowledge in the information security community at the time of the breach that WEP could be easily compromised in one minute by a skilled attacker.⁷⁸ Companies must constantly reevaluate their information security measures in order to respond to changing criminal knowledge.
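    As an added illustration that is not part of the book, the following Python script shows one of the reasons WEP was considered broken years before the TJX breach. WEP encrypts each frame with RC4 keyed by a 24-bit per-frame initialization vector (IV) prepended to the shared secret; the IV is sent in the clear, so a 24-bit space is exhausted quickly and any two frames that reuse an IV share a keystream, which a single known plaintext cancels out. The secret key, IV, and frame contents below are constructed for the demonstration; WEP’s CRC-32 integrity value and the separate 2001 key-recovery (FMS) attack are left out.

```python
"""
Added illustration (not from the book): why WEP-protected traffic leaks.

WEP encrypts each 802.11 frame with RC4 keyed by a 24-bit per-frame IV
prepended to the shared secret key.  The IV travels in the clear, so when
two frames reuse an IV they are encrypted with the same keystream, and
XORing the two ciphertexts cancels the keystream out.  One known plaintext
then exposes the other frame.  Key, IV and plaintexts below are constructed
for the demo; WEP's CRC-32 integrity value and the FMS key-recovery attack
are deliberately omitted.
"""
import math


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns the first n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame encryption: RC4(IV || K) XOR plaintext.

    Returns the frame as sent over the air: the 3-byte cleartext IV followed
    by the ciphertext (the encrypted CRC-32 that real WEP appends is omitted).
    """
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    ks = rc4_keystream(iv + secret_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def frames_until_iv_collision(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: frames needed before some IV repeats with the given
    probability, assuming IVs are drawn uniformly at random.  Many WEP cards
    instead reset the IV to zero on power-up and count upward, so in practice
    repeats arrive far sooner than this bound."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - probability))))


def recover_from_iv_reuse(frame_known: bytes, known_plaintext: bytes,
                          frame_target: bytes) -> bytes:
    """Given two frames sharing an IV and the plaintext of the first, recover
    as much of the second frame's plaintext as the known text covers.

    C1 ^ C2 = (P1 ^ KS) ^ (P2 ^ KS) = P1 ^ P2, hence P2 = C1 ^ C2 ^ P1.
    """
    iv1, c1 = frame_known[:3], frame_known[3:]
    iv2, c2 = frame_target[:3], frame_target[3:]
    if iv1 != iv2:
        raise ValueError("frames do not share an IV; keystreams differ")
    n = min(len(c1), len(c2), len(known_plaintext))
    return bytes(a ^ b ^ p for a, b, p in zip(c1[:n], c2[:n], known_plaintext[:n]))


def demo() -> bytes:
    """Two frames under one IV: the attacker knows the first (a predictable
    request) and reads the second without ever learning the secret key."""
    secret_key = b"\x0b\xad\xc0\xff\xee"                 # constructed 40-bit WEP key
    reused_iv = b"\x00\x00\x01"                          # constructed: counter just after reset
    p_known = b"GET /login HTTP/1.0 user=cashier "        # constructed known plaintext
    p_secret = b"card=4111111111111111 exp=0610 "         # constructed target plaintext
    f1 = wep_encrypt(secret_key, reused_iv, p_known)
    f2 = wep_encrypt(secret_key, reused_iv, p_secret)
    return recover_from_iv_reuse(f1, p_known, f2)


if __name__ == "__main__":
    print("frames to 50% IV collision:", frames_until_iv_collision())
    print("recovered:", demo())
```

    The attack needs no key recovery at all: the defender’s only protection against it is never repeating an IV, which a 24-bit counter cannot promise on a busy network, and that is why the fix was replacing WEP rather than patching it.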

    The Future of Corporate Information Security Policy

    In the chapters that follow, this book engages in a bottom-up, multidisciplinary analysis of some of the changing corporate information security dynamics introduced to this point. As the previous sections have made clear, an analysis of corporate information security policy requires adopting an evolutionary approach that recognizes the emergent nature of information threats.

    Chapter 1, Computer Science as a Social Science: Applications to Computer Security, argues the importance of adopting this multidisciplinary lens in analyzing information security. Jon Pincus, Sarah Blankinship, and Thomas Ostwald write that developing the best information security practices requires broadening the scope of our current perspectives on information security: Computer security has historically been regarded primarily as a technical problem: if systems are correctly architected, designed, and implemented—and rely on provably strong foundations such as cryptography—they will be ‘secure’ in the face of various attackers. In this view, today’s endemic security problems can be reduced to limitations in the underlying theory and failures of those who construct and use computer systems to choose appropriate methods. Although computer science is not traditionally viewed as a social science, problems in its domain are inherently social in nature, relating to people and their interactions. Pincus, Blankinship, and Ostwald argue that applying social science perspectives to the field of computer security not only helps explain current limitations and highlights emerging trends, but also points the way toward a radical rethinking of how to make progress on this vital issue.

    Chapters 2 and 3 present two perspectives on the public-facing aspects of corporate information security. Chapter 2, Compromising Positions: Organizational and Hacker Responsibility for Exposed Digital Records, by Kris Erickson and Philip Howard, sets forth an analysis of the empirical extent of known corporate information security compromise. Erickson and Howard analyze over 200 incidents of compromised data between 1995 and 2007. They find that more than 1.75 billion records have been exposed, either through hacker intrusions or poor corporate management, and that in the United States there have been eight records compromised for every adult. They conclude that businesses were the primary sources of these incidents.

    In Chapter 3, A Reporter’s View: Corporate Information Security and the Impact of Data Breach Notification Laws, Kim Zetter presents an insider’s view of how information about corporate information security breaches reaches the public. She says that [d]espite the passage of state-level data security breach notification legislation in many states, journalists still often have to rely on sources other than the companies and organizations that experience a breach for information about a breach—either because the breach is not considered newsworthy or because the data that are stolen do not fall into the category of data covered by notification laws. Journalists learn about breaches from a number of sources. Rarely, though, are companies or organizations that experienced the breach the first to reveal it. Zetter describes some of the practical limitations of data breach notification laws with regard to public disclosure of corporate security breaches. She says that companies fear that disclosing such information would place them at a disadvantage with competitors and make them vulnerable to lawsuits from customers as well as to other potential intruders.

    In contrast to Chapters 2 and 3, Chapters 4 and 5 present two sets of internal corporate information security concerns relating to protecting intellectual property assets. In Chapter 4, Embedding Thickets in Information Security? Cryptography Patenting and Strategic Implications for Information Technology, Greg Vetter discusses the strategic concerns companies face in deciding whether to patent information security methods. Vetter argues that the full promise of cryptography for information security is unrealized. Companies are increasingly patenting security technologies in an effort to expand their portfolios and better protect corporate intangible assets. Cryptographic methods can enable authentication in an electronic environment and help secure information storage, communications, and transactions. Patenting in the field has expanded aggressively, and greater patent density, sometimes described as a thicket, affects both developers and users and brings with it the potential to chill innovation. This greater patent density, argues Vetter, suggests the need for countermeasures such as patent pooling, patent-aware standard setting by firms and the government, and portfolio management of patents.

    Chapter 5, Dangers from the Inside: Employees as Threats to Trade Secrets, by Elizabeth Rowe, discusses the risks that rogue insiders present to corporate information security, particularly with regard to trade secrets. Says Rowe, The loss of a trade secret is particularly devastating to a company because a trade secret once lost is lost forever. The widespread availability and use of computers, together with an overall decline in employee loyalty, provides fertile ground for the dissemination of trade secrets. Rowe argues that the biggest computer security threats and accompanying threats to a company’s trade secrets originate with the company’s own employees. Put in criminal law terms, employees often have the motive and the opportunity that outsiders lack. Employees usually have legal access to the trade secret information by virtue of their employment relationship and can use that access to misappropriate trade secrets. Examples abound of employees who have either stolen trade secrets for their own or a new employer’s benefit, or have destroyed them completely by disclosing them over the internet. Recent statistics indicate that the large majority of computer crimes are committed by employees. Rowe provides background on trade secret law, presents examples of disclosures that have occurred using computers, and ends with some lessons for trade secret owners.

    Chapters 6, 7, and 8 consider information security in connection with the three categories of statutorily protected data: health data, financial data, and children’s data. Chapter 6, Electronic Health Information Security and Privacy, by Sharona Hoffman and Andy Podgurski, addresses the regulatory, policy, and social impacts of electronic health data security vulnerabilities and the mechanisms that have been implemented to address them. The electronic processing of health information provides considerable benefits to patients and health care providers, but at the same time, argue Hoffman and Podgurski, it creates material risks to the confidentiality, integrity, and availability of the information. The internet creates a means for rapid dispersion and trafficking of illegally obtained private health information. The authors describe the wide-ranging threats to health information security and the harms that security breaches can produce: Some of the threats are internal, such as irresponsible or malicious employees, while other threats are external, such as hackers and data miners. The harms associated with improper disclosure of private medical data can include medical identity theft, blackmail, public humiliation, medical mistakes, discrimination, and loss of financial, employment, and other opportunities. In order to address security risks related to electronic health
